Since 2004, a source for ranting, reviews and InfoSec news

Removing Old JAVA

As part of deployment of JAVA 1.6 update 29, I decided it was time to take a closer look at removing older versions of JAVA.

At one point in time, new JAVA installs left all previous versions installed on the system. Starting with 1.6 update 10, JAVA began installing into %ProgramFiles%\java\jre6. Each subsequent update would replace the version that was in that directory before it. I became a bit slack in removing older versions. Even in June (the previous quarterly update), I only removed versions of JAVA older than update 10. In my post about that, I say “Later versions should be removed automatically.” This is incorrect.

Versions installed normally will behave this way. But it is still possible for an application to install in “static” mode so that its version remains. There are also automatic rules that JAVA uses to determine if an install is static or not. This document for JAVA 7 describes the behavior that I believe also occurs in JAVA 6 (aka 1.6).

By default, a new version of JAVA is installed patch-in-place. In other words, it replaces the version already there. If you attempt to install an older version of JAVA, it will automatically become a static version. And of course a (bad) programmer can bundle an old version of JAVA and make it static. So older versions of JAVA can still crop up. And these older versions are vulnerable, and often unnecessary.

At first I was going to update my existing script to remove all 1.6 versions of JAVA. It quickly became apparent that this was going to take forever and also have issues with 64-bit computers.

This is where the community helped out. On the MyITForum SCCM email list there were several suggestions for better ways to remove old JAVA. I’m going with an uninstall script posted over at AppDeploy. I’m using the one marked version 3. It is a well-commented VBScript with a help section and logging. Two gotchas. One is, don’t forget you might need to whitelist the JAVA 7 clients. I also needed to check SCCM to see if there were any false positives. In other words, would it remove any items that just happened to have JAVA in the Add/Remove Programs display name? The script already handled 5 things like that. I added around another 5 based on what software is in my environment.
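
A report-only way to run the same false-positive check on a single machine before deploying a removal script, as an added example (this is not the AppDeploy VBScript and it uninstalls nothing). The keep and exclude patterns, the function names and the sample display names are assumptions constructed for illustration; replace them with what your own inventory shows.

```powershell
# Report-only audit: which Add/Remove Programs entries would a DisplayName
# match on "Java" remove? Nothing is uninstalled by this script.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # native view
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit apps on 64-bit Windows
)

# Assumed patterns; tune both lists to your own software inventory.
$KeepPatterns    = @('^Java\(TM\) 7', '^Java\(TM\) 6 Update 29$')  # versions to leave installed
$ExcludePatterns = @('JavaScript', 'Java DB', 'Auto Updater')      # contain "Java" but are not a JRE

function Get-InstalledEntry {
    # Read DisplayName/UninstallString from both registry views.
    foreach ($key in $UninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, UninstallString, @{n='Key';e={$_.PSPath}}
    }
}

function Get-JavaRemovalPlan {
    param([Parameter(Mandatory)][object[]]$Entries)
    foreach ($e in $Entries) {
        # Same broad net a display-name based removal script would cast.
        if ($e.DisplayName -notmatch 'Java|J2SE') { continue }
        $action = 'Remove'
        if     ($ExcludePatterns | Where-Object { $e.DisplayName -match $_ }) { $action = 'Skip (not a JRE)' }
        elseif ($KeepPatterns    | Where-Object { $e.DisplayName -match $_ }) { $action = 'Keep (whitelisted)' }
        [pscustomobject]@{ Action = $action; DisplayName = $e.DisplayName }
    }
}

# Constructed sample inventory so the classification can be checked off-box.
$sample = 'Java(TM) 6 Update 29', 'Java(TM) 6 Update 7',
          'J2SE Runtime Environment 5.0 Update 11', 'Java(TM) 7',
          'Java DB 10.5.3.0', 'Java Auto Updater', 'Acme JavaScript Editor' |
          ForEach-Object { [pscustomobject]@{ DisplayName = $_ } }

Get-JavaRemovalPlan -Entries $sample | Sort-Object Action | Format-Table -AutoSize

# On a real machine, audit the live registry instead of the sample:
# Get-JavaRemovalPlan -Entries (Get-InstalledEntry) | Format-Table -AutoSize
```

Run it from a 64-bit PowerShell host: a 32-bit process is redirected to the WOW6432Node view for both paths and will not see 64-bit installs. Anything listed as Remove that is not an old JRE belongs in the exclude list before the real uninstall goes out.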